neverallow transitions to shell
Only a few daemons need transition to shell. Prevent misuse and over-privileging of shell domain. Change-Id: Ib1a5611e356d7a66c2e008232c565035e3fc4956 Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
parent
529a8634e1
commit
d1fa4d3d92
1 changed files with 13 additions and 0 deletions
13
domain.te
13
domain.te
|
@ -429,3 +429,16 @@ neverallow {
|
|||
# do not grant anything greater than r_file_perms and relabelfrom unlink
|
||||
# to installd
|
||||
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
|
||||
|
||||
#
|
||||
# Only these domains should transition to shell domain. This domain is
|
||||
# permissible for the "shell user". If you need a process to exec a shell
|
||||
# script with differing privilege, define a domain and set up a transition.
|
||||
#
|
||||
neverallow {
|
||||
domain
|
||||
-adbd
|
||||
-init
|
||||
-runas
|
||||
-zygote
|
||||
} shell:process { transition dyntransition };
|
||||
|
|
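Review bot: The exemption list in the new `neverallow` block (`-adbd`, `-init`, `-runas`, `-zygote`) has no per-domain rationale, and that list is the part of the rule later patches will be tempted to extend. The comment explains why other domains should define their own domain and transition, but not why these four may enter `shell`. A short reason beside each entry would let a reviewer judge future additions, for example `# adbd: starts the adb shell session` next to `-adbd`; the reasons for `init`, `runas` and `zygote` should come from the author rather than be guessed from the names. The comment could also say that the rule covers both exec-based `transition` and setcon-based `dyntransition`, so any new exemption widens both paths. A neverallow only asserts at policy compile time and grants nothing itself; the `allow` rules for the four exempted domains are outside this hunk and could not be checked here.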